Solved

How to allow only 40 users to run .exe for a particular program \ 30 computers \ or user basis

Posted on 2016-09-14
Last Modified: 2016-09-20
Hi

I have installed Visual studio on only 30 PCs. When they run the project , it says "Error while running the project: unable to start the program \\File server-a\Students\16\16asmith\visual studio 2015\Projects\WindowsApplication4\bin\Debug\Windowsapplication.exe"
This program is blocked by group policy.

Our AD is structured this way:
We have a separate User workstations OU (under this):
    - Education Workstation OU
    - Room 45 OU
        PC1, PC2, .... PC30
    - Room 46 OU
        PC31, PC32...PC60
We will be using only Room 45, where Visual Studio is installed.

On the User Student OU:
    - Class 16
    - Class 17
    - Class 18
    - Class 19
On the Class 16 OU there are 20 students and on the Class 17 OU there are 20 students.


Now I want only the students in Class 16 and Class 17 (total 40 students) to run the exe file, so that Visual Studio projects run successfully.
Do I need to create a separate GPO for this \ create a security group to run .exe and add only the 40 users to this group to run .exe,
or create a GPO to run .exe only for the Visual Studio program?
Please let me know if there is a best way of doing this. Any tutorials will be great.
Thanks in advance
                                                               

Question by:lianne143
24 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41798703
Are you wondering what "This program is blocked by group policy" means and how it can be overcome?
In that case, inform yourself about applocker policies and software restriction policies, those seem to be actively blocking unknown executables.
0
 

Author Comment

by:lianne143
ID: 41798755
We use Windows 7 professional, and please let me know in my situation how I can setup applocker policy \software restriction policy for VS2015 to work.
I am not very good at active directory.
Thanks
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41798774
You'd need to open rsop.msc on such a client pc and see if rsop shows a configured software restriction policy at computer configuration - windows components - security settings - software restriction policies.
If there is one configured, it will show the GPO name. Then, have someone in charge of GPO settings modify it so that your program gets whitelisted.
0
 
LVL 2

Expert Comment

by:Brad99
ID: 41798821
You should check if the error message really comes from a configured AppLocker GPO. In the past we also saw this message popping up for some programs on the clients, but it had nothing to do with the real AppLocker part but was rather a mixture of old application, UAC and msiexec / Installer Engine issue.
You can verify this on the client inside the event log:
check inside eventvwr.exe application logs -> Microsoft -> Windows -> AppLocker and there inside the exe/dll part. If AppLocker blocks something based on the configured GPO settings, like not allowing unknown exe from shares without excluding it, it will be shown here.

BR
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41798823
emu, she runs the pro edition = no applocker.
0
 

Author Comment

by:lianne143
ID: 41799783
Please let me know in my case as  we use Windows7 Professional edition ,
Is there a different way to setup this policy
Or do I need to reinstall to  Windows 7 enterprise edition
Thanks
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41799850
Read my comment, I told you where to look, it applies to the pro version.
0
 

Author Comment

by:lianne143
ID: 41800145
Ok Thanks

Please see the snapshot.
I had logged into the Room45-PC1 as domain\administrator and did an RSOP. Please see the snapshot. Looks like no software policies are configured under computer configuration.
I have to make this software up and running for only 40 users, and your help is much appreciated.
Please post next steps and guide me!
Thanks again
RSOP-Snap2.pdf
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41800231
Funny, that error message indicates that the policies are active while rsop says they are not. Please have a look at the registry pendant of that policy: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths would be a path. Have a look at it, is it populated with content?
0
 

Author Comment

by:lianne143
ID: 41800273
I can't see anything populated at this path in the registry. Will it be because I have logged in as Domain\administrator and am running the RSOP?
Registry-pendant-of-this-policy.png
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41800303
No, it does not matter who is logged on. Ok, so no policies are active. Please provoke such a blocking and make a screenshot and upload it. Also look into the application event log for traces like those shown here: http://windowsitpro.com/systems-management/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-appli
0
 

Author Comment

by:lianne143
ID: 41800425
By applying the following command on the command prompt, I enabled verbose SRP trace logging:

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /d c:\logs\srplog.txt

After applying the command above, I ran RSOP and went to eventvwr.msc and can't see any events related to 865, 866, 867 and 868.

Hope I am doing the correct steps. Also, VB2015 is a fresh setup.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41800534
Please upload a screen shot and after that, look into the application eventlog for traces.
0
 

Author Comment

by:lianne143
ID: 41800604
RSOP and event viewer screenshots attached; can't see any events such as 865, 866, 867 and 868.
Win-7-RSOP.png
Events.png
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41800613
You don't seem to understand. I asked for a screenshot of the error message. And I asked you to look at the application event log after provoking the error. Or is there no trace inside the application event log section?
0
 

Assisted Solution

by:lianne143
lianne143 earned 0 total points
ID: 41800649
I provoked the error yesterday on the VB installed PC, so the events are yesterdays date. This is the error I get.
Thanks
VS-error-on-Win7-PC.png
Events-ID-866.png
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41801070
Finally you have proof that I was right, it is a software restriction policy as the event log shows.
Please revisit rsop.msc and go into the software restriction policies section and open what your screenshot does not show: "additional rules" and make a screenshot.
0
 

Author Comment

by:lianne143
ID: 41801147
Thanks so much, you are right!
I can't see anything defined in the "additional rules".

But I went to the AD and below the student users OU ie "Student OU"  I can see a GPO is applied called as "Student policy" and if I edit this policy- User configuration-Windows  settings-security- and in the software restriction policies , I can see  policies defined.

 Student OU
             "Student policy"-GPO
                          >Class16
                          >Class 17
                          >Class 18
                          >Class 19
Additional-rules.png
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41801171
Super. Modify those policies. Since rsop told us before, that the default setting is unrestricted, you can be sure that the active policies are blacklisting policies. Now you just have to find the settings that blacklist the network paths where your executable is located.
0
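The checks discussed in this thread, collected into one PowerShell script as an added example that is not part of any post here. It lists SRP path rules from the computer hive quoted above and from the per-user counterpart under HKCU (not mentioned on the page; included because the policy was found under User configuration), plus Application-log events with the IDs 865-868 named in the thread. Function names are illustrative.

```powershell
# Added example: enumerate Software Restriction Policy (SRP) path rules and
# recent SRP events on a client. Function names are illustrative.
# Run it as the affected user: HKCU holds that user's copy of a user-side GPO.

$levelNames = @{ 0 = 'Disallowed'; 65536 = 'Untrusted'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }

        # DefaultLevel 262144 = unrestricted by default, so the rules act as a blacklist.
        $default = (Get-ItemProperty -Path $base).DefaultLevel

        # Each numeric subkey is a security level; its Paths subkey holds one GUID key per rule.
        foreach ($levelKey in @(Get-ChildItem -Path $base)) {
            $pathsKey = "$($levelKey.PSPath)\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in @(Get-ChildItem -Path $pathsKey)) {
                $props = Get-ItemProperty -Path $rule.PSPath
                New-Object PSObject -Property @{
                    Hive         = $hive
                    DefaultLevel = $default
                    Level        = $levelNames[([int]$levelKey.PSChildName)]
                    Path         = $props.ItemData
                    Description  = $props.Description
                }
            }
        }
    }
}

function Get-SrpBlockEvent {
    param([int]$MaxEvents = 20)
    # 865-868 are the SRP event IDs referred to in the thread; ProviderName is
    # shown so unrelated sources using the same IDs can be told apart.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-SrpPathRule | Select-Object Hive, DefaultLevel, Level, Path, Description | Format-Table -AutoSize
Get-SrpBlockEvent | Format-List
```

An empty HKLM result combined with rules under HKCU matches what the thread found: the restriction came from a GPO linked to the student users, not to the workstations.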
 

Author Comment

by:lianne143
ID: 41803747
I have identified the path of the WindowsApplication .exe and this file is saved to the fileserver-a, as shown below. Please see the attached snapshot.

\\File server-a\Students\16\16asmith\visual studio 2015\Projects\WindowsApplication25\WindowsApplication25\bin\Debug\Windowsapplication25.exe"

Whenever a new project is created and when it is made to run, different folders ( WindowsApplication....)are created within Visual Studio 2015 as shown below:

Visual Studio 2015\Projects\WindowsApplication23\WindowsApplication23\bin\Debug\Windowsapplication23.exe"
Visual studio 2015\Projects\WindowsApplication24\WindowsApplication24\bin\Debug\Windowsapplication24.exe"
Visual studio 2015\Projects\WindowsApplication25\WindowsApplication25\bin\Debug\Windowsapplication25.exe"

I have installed VB2015 only on Room45 OU. Please suggest if it is possible to allow the students to run this application only on Room45 OU \ Will it be possible to set it up this way: under the User Student OU there are 5 sub OUs, so that only some students within Class 16 and Class 17 will need access to the VB2015.

I am concerned if I allow the .EXE on this path \\File server-a\Students folder…   we have 600 students and it will not be safe to allow .exe for all. Please correct , if I am wrong!
Please let me know, how to proceed and how to delete the corresponding blacklist paths.
Thanks
snap-of-WindowsApplication-folders.png
WindowsApplication-EXE-location.png
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41803930
Lianne, someone at your place has setup these software restriction policies ("SRP"). He would be able to handle this. If he's no longer working for you and you have no idea how to solve this (please don't take it offensive but I have to say that's how it seems), then you'll need to learn SRP. SRP is a very critical subject, where misconfiguration will have grave consequences. Please don't rely on a forum to resolve this.

At least, setup a test system and stage what you try to do. For anyone in the know, allowing an exe is a matter of one minute since allow rules trump all deny rules. You would setup a policy with the path to your executable and allow it (create an explicit allow rule). and then have that GPO apply to all machines where this exe should be usable. You cannot apply it to certain users since it is a computer policy.
0
 

Author Comment

by:lianne143
ID: 41803972
Hi Mcknife
I understand and appreciate your thoughts on this. If things break up there are backups to restore and I am not going to blame the EE forum; I would like to sort this problem myself. I know you have helped to this stage and don't want to give up sorting this problem!
Thanks for letting me know that I cannot apply it  to certain users, since it is a computer policy.
I will now create a computer policy but , please post example tutorials - to setup a policy with the path to the VB executable and allow it (create an explicit allow rule).

Thanks
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 41803995
0
 

Author Comment

by:lianne143
ID: 41806306
Thanks for all your help, much appreciated!
0
